1. At a high level, if an attacker can generate a valid quote for a machine that is not a SGX processor, then the attacker can learn private user data. Without a way of being able to identify legitimate SGX processors, the client may start running the key exchange protocol with a non-SGX machine controlled by the attacker. The attacker can choose some key k_w, encrypt it under the user’s public key, and send back a valid quote that includes the encryption of k_w. The user will then send other secret keys encrypted under the key k_w that will later be used to encrypt the private job data. 

2. The attacker can look at the sizes of ciphertexts to learn the encrypted sizes of the code, input splits, intermediate key-value pairs, and output key-value pairs. The attacker can also learn how keys are repeated in intermediate key-value pairs at the level of granularity of mappers and reducers. VC3 is also vulnerable to replay attacks when using the in-band version of key exchange that is compatible with Hadoop.